President Biden orders surveillance reforms two years after Schrems II
Long-awaited executive order strives to enhance and revive the invalidated Privacy Shield Framework
President Biden today issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the EO), aimed at addressing the widespread legal uncertainty that has prevailed with respect to transatlantic data transfers since the Schrems II decision by the Court of Justice of the European Union (CJEU or the Court) in July 2020.
Following last spring’s joint US-EU announcement of a “deal in principle” on an enhanced EU-U.S. Privacy Shield Framework (Privacy Shield), the EO directs US intelligence agencies to take steps to implement US commitments under the renamed EU-U.S. Data Privacy Framework (the DPF). The EO, along with a series of letters from US agencies to the EU, will serve as the basis for a draft adequacy decision by the European Commission, which must then be formally approved by EU Member State representatives.
Today’s order attempts to resolve the Schrems II Court’s concerns about US intelligence agencies’ access to EU individuals’ personal data. In its ruling, the CJEU struck down the 2016 adequacy decision for Privacy Shield, finding that the European Commission failed to establish that protections in US law governing such access meet EU privacy standards.
At the same time, the Schrems II Court imposed on companies that use other EU-approved data transfer mechanisms the new and unprecedented obligations of (1) verifying on a case-by-case basis whether a recipient country’s legal protections relating to government access to data satisfy EU law and (2) assuming the responsibility of either implementing supplementary measures or suspending transfers when they do not.
1. The Executive Order
In response to the CJEU’s concerns, the EO spells out and formalizes the three key US commitments announced previously by the Biden administration:
- Additional safeguards: To ensure further safeguards with respect to US intelligence agencies’ signals intelligence activities, the EO requires that such activities (1) be conducted only when necessary and proportionate to advance “legitimate” national security objectives that have been “validated” by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) and (2) take into consideration “the privacy and civil liberties of all persons, regardless of nationality or country of residence.”
- Enhanced oversight: To ensure compliance with these new directives, the EO directs US intelligence agencies as follows:
  - Update and publish policies: Agencies must update their policies and procedures as necessary to implement the privacy and civil liberties safeguards in the EO.
  - Designate compliance officials: Agencies must also “have in place senior-level legal, oversight, and compliance officials who conduct periodic oversight of signals intelligence activities, including an Inspector General, a Privacy and Civil Liberties Officer, and an officer or officers in a designated compliance role” with the authority to remediate incidents of non-compliance.
- Redress mechanism: To review and resolve complaints concerning US signals intelligence activities, the EO establishes a two-tier system of redress for individuals:
  - CLPO investigation: The first layer requires the CLPO to conduct an initial investigation of qualifying complaints to determine whether the EO’s additional safeguards or other applicable US law were violated, and, if so, to determine the appropriate remediation.
    - Binding effect: The EO provides that, subject to any contrary determination by the Data Protection Review Court (below), “[e]ach element of the Intelligence Community, and each agency containing an element of the Intelligence Community, shall comply with any determination by the CLPO.”
    - Independence: In addition, the EO prohibits the Director of the Office of National Intelligence from interfering with the CLPO’s review of any qualifying complaint or removing the CLPO for any actions taken pursuant to the EO.
  - Data Protection Review Court: The EO authorizes and directs the US Attorney General to establish a Data Protection Review Court (the DPRC) to provide independent and binding review of the CLPO’s decisions.[1] DPRC judges will be appointed from outside the US government, have relevant data privacy and national security experience, review cases independently and enjoy protections against removal. DPRC decisions regarding violations of applicable US law (and appropriate remediation) will also be binding. Moreover, the DPRC will select a special advocate in each case to advocate on behalf of the complainant.
2. Near-term benefits, long-term uncertainty
With the European Commission set to issue a draft adequacy decision on the basis of the EO and US agency letters in the coming weeks, and with EU adoption of that decision currently expected in the spring of 2023, the new US commitments should soon yield some much-anticipated relief for companies that do business in the EU:
- Legal clarity: Because an adequacy decision would recognize the US as providing a level of data protection that is “essentially equivalent” to that of the EU, it should restore some near-term clarity and predictability around transatlantic data transfers.
- Transfer impact assessments: Companies that move personal data – via any EU-approved transfer mechanism – would no longer have to conduct the complex and onerous case-by-case analyses of US law and practice concerning government access to data.
- DPA enforcement: As EU Member State data protection authorities are legally obligated to honor any final adequacy decision, they could no longer suspend a company’s data transfers to the US on grounds relating to US intelligence agencies’ access to such data (as DPAs in Austria and France did earlier this year with Google Analytics and Ireland’s Data Protection Commissioner is currently seeking to do with Meta).
- Operational effectiveness: Adequacy would also re-enable the clear, predictable and affordable Privacy Shield program, which allowed companies to remain in compliance with EU data protection law by annually certifying their adherence to the Privacy Shield Principles through the US Department of Commerce (today’s EO updates and retitles them the “EU-U.S. Data Privacy Framework Principles”).[2]
Despite these benefits, however, the long-term durability of any new US adequacy decision remains unclear at best. On the one hand, such a decision is all but certain to find its way back to the CJEU for review based on a variety of alleged shortcomings:
- Executive action is insufficient: Although executive orders have the force of law, EU privacy advocate Max Schrems has long made clear his expectation that, absent any US legislative changes to address the CJEU’s concerns, his (or another) group will bring new legal challenges within months of any final adequacy determination.
- The redress mechanism is deficient: On paper, at least, the proposed two-tier redress mechanism seems to satisfy the EU’s “essential equivalence” standard, particularly in view of the DPRC’s independence and authority to issue legally binding decisions, as well as the fact that comparable national authorities in the EU are quasi-judicial or administrative bodies (and not courts or tribunals in the strict sense). That said, opponents of an adequacy decision for the DPF may assert that the Supreme Court’s recent ruling in FBI v Fazaga undermines an EU individual’s rights to actionable redress and an effective remedy in the US (as the decision upheld the US government’s use of the state-secret privilege in cases brought by individuals alleging illegal use of the Foreign Intelligence Surveillance Act by US authorities).
- The CLOUD Act is unaddressed: Although law enforcement access to data was not at issue in Schrems II, many EU companies have concerns that data held by US affiliates, partners and vendors could be accessible to US authorities under the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The law codified the longstanding US practice of authorizing law enforcement agencies to issue subpoenas or search warrants to obtain data stored outside the US from US-based service providers. It also established a framework for foreign governments to enter into agreements with the US to facilitate cross-border data transfers for law enforcement purposes (such as the U.S.-UK Data Access Agreement that entered into force on October 3, 2022).
On the other hand, rapidly evolving developments in the US and around the world might finally mark a turning point in the ongoing clash between EU individuals’ privacy rights and US national security policy. In the coming years, for example, three developments in particular could help facilitate the cross-border data flows that have become indispensable to businesses’ operations, cybersecurity and resilience:
- Principles for government access to data: Since 2020, the OECD has been working to formulate common principles governing member countries’ access, for national security and law enforcement purposes, to personal data held by the private sector. Multilateral consensus on such principles in 2023 could go a long way toward resolving the core concern in Schrems II.
- Comprehensive federal privacy legislation: Earlier this year, moreover, Congress proposed the first federal “omnibus” data privacy bill to gain both bipartisan and bicameral support. If enacted, the American Data Privacy and Protection Act could address the widely held view in the EU that the current federal patchwork of sectoral and data sensitivity-based laws in the US cannot be relied upon to provide adequate protection for personal data transferred from the EU.[3]
- The Global Cross-Border Privacy Rules (CBPR) Forum: Launched in April 2022 by the US, Japan, Singapore, Canada, South Korea and the Philippines, the Global CBPR Forum seeks interoperability of national data standards among like-minded democracies. The UK is reportedly working with Forum members on how to reach a potential understanding with the EU on data flows (such as recognition of the CBPR Framework as an approved code of conduct under Article 40 of the GDPR).
3. Next steps
Notwithstanding significant political and industry backing on both sides of the Atlantic, a final adequacy determination on the DPF is by no means guaranteed. Under the EU’s comitology procedure, once the European Commission completes its draft adequacy decision, the European Data Protection Board (EDPB) will issue a non-binding (but nevertheless influential) opinion on it, and a “qualified majority” of at least 55 percent of the EU Member States must then approve the draft. The European Parliament may also elect to issue its own non-binding resolution on the draft adequacy decision for the DPF at any point before the European Commission formally adopts it.
Accordingly, until a final adequacy determination is in place – and the DPF is implemented – companies that move EU individuals’ personal data to the US should continue to comply with the Schrems II judgment and the guidance issued by the EDPB:
- Map data transfers: Identify their transfers, including onward transfers and sub-processing chains.
- Select a transfer mechanism: Verify the EU-approved transfer tool on which they will rely (eg, Standard Contractual Clauses, Binding Corporate Rules, ad hoc contractual clauses or a GDPR derogation).
- Assess US law and practice: Document whether their transfer mechanism is effective in view of US law and practice:
  - Law: In accordance with the European Essential Guarantees, companies must confirm whether US law:
    - Affords clear, precise and accessible rules
    - Ensures that processing is necessary and proportional with regard to legitimate objectives
    - Includes an independent oversight mechanism and
    - Makes effective remedies available to individuals
  - Practice: In addition, companies must assess whether, in practice, the operation of US government agencies undermines US law.
- Adopt supplemental measures: If their assessment indicates that EU individuals’ personal data will not be protected under US law or practice, companies must adopt supplementary measures that may include technical, contractual or operational safeguards.
For the nearly 3,000 companies that have maintained their Privacy Shield certifications since the Schrems II decision, a new adequacy determination should permit them to avail themselves of the updated DPF relatively quickly. Companies not currently certified would need to start the DPF certification process from scratch.
For more information on President Biden’s executive order and the EU’s anticipated adequacy decision for the DPF, please contact the author.
[1] In accordance with the EO, Attorney General Merrick Garland signed a new regulation establishing the DPRC on October 7, 2022.
[2] Reportedly, the EU-U.S. Data Privacy Framework Principles will differ in minor, non-substantive ways from the Privacy Shield Principles (eg, replacing references to the EU’s Data Protection Directive 95/46/EC which was superseded by GDPR in 2018).
[3] To date, the U.S. has never requested a “full” adequacy determination, and the EU has never officially found the overall U.S. approach to privacy to be either adequate or inadequate. Privacy Shield and its predecessor, the 2000 Safe Harbor framework, were more limited adequacy decisions.